My name is Jaeson. This talk is on examining the bit squatting attack surface. For those
of you who are regular DEF CON attendees, you may remember a talk from a couple of years
ago. There was a talk by a man by the name of Artem Dinaburg. He published
a talk on bit squatting and registered several domains which ended up getting traffic and
kind of showed that it works. So if you know what ‑‑ if you know what typo squatting
is, then you'll be able to understand the concept of bit squatting. It's not a whole
lot different. So where typo squatting is registering a domain name that is maybe confusingly
similar that somebody might mistype on a keyboard, bit squatting involves actually registering
domain names that are one binary digit different. So if you think about the way domain names
are represented in the memory of the computer, it's a little bit different.
Most computers use ASCII and so there's going to be a series of binary digits that represent
each character that formed the domain name. And I've got an example here where Twitter.com
can flip a bit and become Twitter2.com. So really there's nothing fancy about this attack.
It really involves nothing more than registering domain names. But this was a great talk and
I was really impressed by it. And hats off to Artem Dinaburg.
Thank you for being the first one to bring it to everyone's attention.
This is a view of the ASCII table, at least a lot of the characters that are in the ASCII
table and their binary representation. I'm purposely not showing things like the ASCII
control characters. Actually ASCII was a specification that was built a long time ago, back in the
late 50s and early 60s, back when we still had printing teletype machines. So several
character codes that are in the 7 bit ASCII table are things like line feed control codes
and various other control codes like delete. When you had a printing tape and you made
an error, the reason why all ones in 7 bit ASCII is the delete character is because they
would just print ones all the way across and that would signify, oh, we made a mistake
and would let them move on in terms of the printing teletype. So there were actually people
who argued back during the beginning when they were making the ASCII specification that
they shouldn't include lowercase characters at all. Other people were arguing that we
should have the lowercase letters interleaved with the uppercase. You might have a big
A, little A and so on. But this ended up being the final sort of ASCII specification.
It got picked up in the early 80s with the advent of personal computers. But this is
really where we get the landscape which makes bit squatting possible.
And in my previous example, the R in Twitter, I've highlighted here, you can actually see
that there's several other characters that are part of the table which are different
only by one digit. If you were to flip a zero into a one or a one into a zero, you
could get all of these other things. And so what Artem Dinaburg did was register
a bunch of domains and prove that he was able to get traffic
that was being misdirected his way as a result of memory errors. Errors that could have
occurred in RAM which are passed into whatever application, usually your web browser, that's
doing the most damage. He did talk about some of the causes. So these
are the main causes of bit squatting errors or bit errors in memory. Cosmic rays, they're
quite frequently hitting the earth, 10,000 per square meter per second. Heat, I think
the upper range on the iPhone operating temperature is only 95 degrees. So if you
have been carrying your iPhone out around Vegas, you've been exceeding those operational
parameters. There's an interesting paper that came out earlier this year about nuclear explosions
and using DNS requests and bit errors in the DNS requests to actually determine when
low‑yield nukes have been exploded. And then finally also defects in manufacturing.
So as I started thinking about this, I thought it was a really unique idea. Typically I'm
used to being the one making the mistakes
and having all the problems boil down to human errors, missing a semi‑colon in your program
or whatever. This is the type of thing where you've done everything right, but because
of an error in the memory, all of a sudden your traffic is going to some other place
that you didn't even intend for it to go. So one of the characters that's particularly
fascinating is the letter N, which by a flip of one bit can become the dot. And while that's
not one of the necessary characters, according to the RFC for DNS names, it does separate
the various parts of a DNS name.
So if we have an N inside of a domain name that can become a dot, you can do some interesting
things like the domain name Windows update. If you take that first N and convert it into
a dot, you end up with the domain name dozeupdate.com. Similarly with the Symantec live update.
And so we registered some of these. And these were some of the queries that we were able
to get from the Internet. Lots of people looking to download Windows updates, but instead
of going to Windows update, they were going to our domain dozeupdate.com. And again, here's
a similar example for the Symantec live update. You can see that the N flipping into a dot
causes their traffic to be directed to us instead.
Because it's bidirectional, you can also have dots that flip into becoming a letter N. So
one of the best examples that we registered was ytimg.com. They use this content delivery
network in a lot of their domain names ‑‑ I mean, in a lot of their web pages to serve
content. And what we did was replace the dot that separates the third level subdomain
name from the second level and then registered the entire thing. So we've registered snytimg.com.
Another interesting one was the state of New York. So every state in the United States
has a state dot something dot U.S.A.
You can basically replace that second dot there from the right with a letter N and see
some traffic. So here's an example from YouTube. It actually has a referrer from YouTube. And
this was going to our snytimg.com domain. And here's an example. The OMH subdomain is
actually a real subdomain at the state of New York. It's the office of mental health.
But we were getting lots of different requests from them.
So outside of the characters that are within a domain name itself, there's other ways that
we found ‑‑ and part of the inspiration for this idea came from this slide which
was originally published by Artem Dinaburg in his 2011 research. And if you look at this
graph, you'll see that the most popular bit squat domains that he registered all happen to be
associated with web applications. And so I started thinking about that a little bit more.
And, you know, here's the general structure for any URL, an HTTP URL. And you'll notice
that there's a scheme, host name, path and so on. But there's a couple of places, I'll
highlight them here in red, where we have forward slashes. And so if you think about
bit squats, the context in which they most likely appear is going to be inside of web
links. And there's a relationship between the letter O and the forward slash,
where by the flip of one digit, one becomes the other. And so how can we use this? Well,
if you've got a domain with the letter O in it in the right place, you can actually attack
domains which weren't possible before. So you see I've got some examples here in the
.mil top level domain. I've also got some examples in .edu. These are protected domains
where I wouldn't be able to register a domain ordinarily. But by taking advantage of the
nature of the O inside the domain, flipping to a slash, what happens is it ends up cutting
off the URL early. And the traffic ends up going to some international or country code
level domain. And so we've got several examples here. Here's an example of an .edu. This
was this first example, ecampus.phoenix.edu. And so we registered ecampus.ph. And here
was actually a request. Somebody has a small
smart phone and they've got an icon on their home screen. And whenever they click the home
screen, one of the byproducts is refetching the Apple Touch icons. And so that's actually
what you're seeing here represented in this request as a request for the Apple Touch icons.
We got similar stuff from some other domains. But I'm going to leave those examples. Those
examples are in the white paper. Continuing in the
textual nature, not only can you have an O turn into a slash, but you can have slashes
turn into the letter O. And why is this important? Well, the browser actually allows or kind
of silently fixes errors that might occur as a result of this. So if you can imagine,
you've got a domain like slash dot here. But imagine that the second slash from the
left turns into a letter O by virtue of a bit error. What happens is the browser sees
HTTP colon and a single slash and then a domain name and thinks, oh, this must be
an error. I really need to take you to this domain O slash dot. So it will actually helpfully
redirect you to the wrong place. And here's an example of that. Again, someone
fetching their Apple Touch icons. They've got a slash dot web link basically stored
on their home screen of their phone. I'm seeing a lot of
traffic from mobile devices, honestly.
Okay. Let's see. Am I going the right way? Okay. So we've got additional URL delimiters
that are possible. So the letter C has a relationship with the pound character. And
people that work in URLs will be familiar with the pound character. It basically shows
you where you've got an anchor tag. So if you can imagine a full host name with a letter
C in it at the right place, when that C turns into an anchor tag, it actually cuts
short the domain. And a couple of really interesting examples
here. pki.nrc.gov. That's the Nuclear Regulatory Commission. I actually did buy
that domain so no one else would be able to. pki.nr is in Nauru. And it took a
while for them to ‑‑ you have to register some of these domains by faxing a paper in
and stuff like that. So some of these country code registries are a little bit less organized
than others, let's say. But some others here we've got at cdc.gov, happens to have a bit
squat at emergency.cd, which is the Democratic Republic of Congo. And USCG.mil and .US. So
some interesting examples there. This is an example here basically showing that the browser
will happily ‑‑ if you see in the location tag, it's going to a .US domain name. That's
what the browser is basically helpfully correcting for us and sending us to the wrong place.
Let's see. This here is another example. This is an interesting one that the C, if it has
a dot before it, will still work. And if you look at the location bar here, you'll see
the real location.
The location that you would be going to if, in fact, the C in .CN was to flip into an
anchor tag. So these techniques will still work even with errors in the browser.
So these are interesting. URLs and the domain delimiters. But we also took a look at the
top level domains. So most of the top level domains don't have
bit squats. You know, .com, .net, so on. There are some; .pro and .coop are the exceptions.
They actually have an O‑based slash sort of bit squat present. But the ccTLD bit squats
have several, depending on where you're at. So there's some domains that only have ‑‑ have
no bit squats in the country code space and some that have several. In fact, the Ivory
Coast has ten different valid country code level bit squats.
And so, you know, what's sort of possible with this? Well, we've registered a domain
name based on the Kremlin.ru domain. But instead of .ru, we registered .re, which is Reunion
Island. And we got this request for a news page, basically. And so I pulled up the corresponding
page inside of the Kremlin.ru page just to show that, yes, this was a real news page
that someone was requesting, but they were coming to Kremlin.re instead, which we weren't
going to be able to serve that content.
I have here another domain that we registered for this test. Europa.eu is the European parliament.
And so we registered Europa.mu. And you can see we're getting a bunch of MX requests here
for Europa.mu. These are all valid subdomains at Europa.eu, by the way.
Here are some SIP DNS requests from the German federal government. So we registered a couple
different domains there.
bund.ee, which also happens to be a typo squat as well as a bit squat. But we also
registered bund.dm, and we were seeing similar things out of both of those. I think I might
have another example.
Yeah, here's some MX requests. If you were to look up the IP addresses on some of these,
you'll note that some of these requests were coming from inside of the government of Germany
itself.
So what about all the new generic top level domains that are coming out?
What could be possible there? Well, using some of these previous techniques, you could
actually register a bit squat, which would allow you to bit squat the entire top level
domain. And I've got a few here. I think one of the most interesting out of this list
is .exchange, which is supposed to be used for financial exchanges. So if you were able
to register this xj.ge in Georgia, you could potentially receive bit squats for any domain
registered under .exchange.
There's some other bit squats that are possible in the new generic top level domains. These
are based on the letter O. And you can see I've got several here like .boo, .bio, and
the corresponding country code top level domain where those bit squats exist, as well
as ones based on the letter C. So I'll leave these here as reference.
So something more about the ccTLD bit squats. There were some interesting ones, and you
would think at a domain name registry like .uk where they only allow protected ‑‑ it's
a fairly protected registrar. You can only register third level domains at .uk. It's
got to be something .co.uk, .net.uk, and so on. So it turns out that .uk has a one
bit error and you become .tk. And so I started looking at what was available at .tk. And
there's several of these. Probably the most interesting one is .tk. So I started looking
at the MOD, which is the Ministry of Defense in the U.K. So I could ‑‑ I didn't register
this. I think they've registered it now, so it's not available anymore. But mod.tk
was available for a while, and you could have potentially been eavesdropping on the
Ministry of Defense. But there's several others, and these all match the corresponding
second level registration at .uk. So you could potentially get quite a lot of traffic there.
So just ‑‑ okay. Just kind of closing up here, you know, this is obviously ‑‑ there's a lot of domains
out there which are possible to bit squat, and even in protected registries like .gov
and so on. So far the current mitigations were to use ECC memory or buy up all the
domains so that no one else could register it. But I think that there's some better
ways around that. So one of the ways that we actually saw used
in practice, and I don't know that they were necessarily doing this on purpose, was Amazon
used this as a way to ‑‑ I don't know if you've heard of it, but Amazon used it as
kind of a roving domain sort of defense here. And if you look at the source code from some
Amazon pages, you'll notice that they have this domain cloudfront.net. And normally the
O in cloud front would make these perfect bit squat domains based on the letter O flipping
to a slash in the country code .cl, which is Chile. But what they do is if you look
at that third level host name, that third level host name changes every time they recompile
some code there. I don't know exactly why. But they do that. And it changes about
every month. And so if you were to go out and register
one of these domain names, you probably wouldn't get much traffic in the month before it changes.
So I thought that was an interesting defense. I also noticed that a lot of these bit squatting
problems happen as a result of URLs in web applications. And so limiting the amount of
times that the URL actually appears can help you. So instead of using absolute links, if
you use relative links, then you're not going to be putting the domain name in the link.
And web pages are stored in memory basically the exact same way that they're written originally.
So that can help you. And also using capital letters ‑‑ the capital letters don't have
the same equivalent bit squats as lowercase.
So using capital letters in some cases can help you avoid certain bit squats. But possibly
the best mitigation is a response policy zone.
So with a response policy zone, you can do a lot of things.
With a response policy zone, you configure your DNS server to look for requests that
might be one bit different. And I have an example here of PayPal. If you had an RPZ,
you might look at a request coming to you for Raypal and think that's probably a one
bit error and I'm going to silently return from my DNS resolver no such domain. Or maybe
redirect them to a walled garden. So in that case, you do have to be careful of false positives,
though, like this raypal.com is a real site. So to that end, you definitely have to monitor
for false positives when you're using this technique. But configuring this at your DNS
resolver basically takes DNS out from the ability of the attackers to be able to register
the domains in the first place or de‑incentivizes that. And to that extent, we do have an RPZ
generation script. So if you have a list of fully qualified domain names you want to turn
into an RPZ and deploy on your resolver, we're releasing a Perl script to help you do
that. It's also going to be
available on the Cisco blog page. I've got a blog page that's coming out just in a little
bit here in about ten minutes. And you'll be able to download the code from there as
well. So I hope that you found some of these new bit squatting attacks interesting and
I really hope that people are going to go out and try to do something as far as fixing
up the resolvers and making this problem go away. Because if more people did that, then
bit squatting wouldn't really be an issue at all. So thank you.
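An added example of the RPZ generation the talk ends on (my own Python, not the speaker's Perl script or anything from Cisco): it enumerates the one-bit variants of a hostname, including the n/dot flips and the o/slash and c/pound delimiter cuts described above, and emits the records a resolver loads to answer NXDOMAIN for them, with an allowlist for the raypal.com style false positive. It assumes BIND-style RPZ syntax, where `name CNAME .` means NXDOMAIN.

```python
import string

# Characters allowed in a DNS hostname label (letters, digits, hyphen).
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")
# One-bit flips that turn a letter into a URL delimiter and cut the host short,
# as the talk shows for o -> '/' (0x6F^0x40) and c -> '#' (0x63^0x40).
DELIMITER_FLIPS = {"o": "/", "c": "#"}

def valid_host(name):
    """True if every label is non-empty, LDH-only, and the TLD has 2+ chars."""
    labels = name.split(".")
    return (len(labels) >= 2 and len(labels[-1]) >= 2 and
            all(lbl and set(lbl) <= LABEL_CHARS and lbl[0] != "-" and lbl[-1] != "-"
                for lbl in labels))

def registrable_bitsquats(fqdn):
    """Valid hostnames that differ from fqdn in exactly one bit.
    Bit-5 flips only change case; DNS is case-insensitive, so those collapse
    back onto the original and are dropped. An n <-> '.' flip changes the label
    structure (windowsupdate.com -> wi.dowsupdate.com) and is kept if still valid."""
    fqdn = fqdn.lower()
    found = set()
    for i, ch in enumerate(fqdn):
        for bit in range(7):  # 7-bit ASCII, as in the talk's table
            variant = (fqdn[:i] + chr(ord(ch) ^ (1 << bit)) + fqdn[i + 1:]).lower()
            if variant != fqdn and valid_host(variant):
                found.add(variant)
    return found

def delimiter_truncations(fqdn):
    """Hosts a browser contacts when an o or c in a URL's host flips into / or #.
    The URL is cut at the new delimiter: ecampus.phoenix.edu -> ecampus.ph,
    pki.nrc.gov -> pki.nr, so traffic lands in a ccTLD the victim never owned."""
    fqdn = fqdn.lower()
    return {fqdn[:i] for i, ch in enumerate(fqdn)
            if ch in DELIMITER_FLIPS and valid_host(fqdn[:i])}

def rpz_records(fqdns, allow=(), action="."):
    """RPZ zone lines for every bitsquat of the given names.
    'name CNAME .' makes the resolver answer NXDOMAIN; use action="garden.example."
    to send clients to a walled garden. Names in `allow` are skipped so a real
    look-alike (the talk's raypal.com example) is not blocked by mistake."""
    skip = {a.lower() for a in allow}
    lines = []
    for fqdn in sorted({f.lower() for f in fqdns}):
        squats = registrable_bitsquats(fqdn) | delimiter_truncations(fqdn)
        lines += [f"{name} CNAME {action}" for name in sorted(squats - skip)]
    return lines

if __name__ == "__main__":
    # Constructed sample input: names discussed in the talk.
    for line in rpz_records(["paypal.com", "windowsupdate.com", "pki.nrc.gov"],
                            allow=["raypal.com"]):
        print(line)
```

Load the output under your RPZ zone's $ORIGIN and watch the resolver's RPZ log for hits before trusting it, since that log is where the false positives the talk warns about will show up.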
